By Davey Winder, Senior Contributor.

The hugely popular LastPass password manager has not just been hacked. This is official and confirmed by LastPass itself, which has issued a warning to users about a hacking campaign that uses emails stating the precise opposite and urging recipients to download a malicious update built to steal master passwords. Here’s what to know and do if you get a “We have been hacked” email purporting to come from LastPass support.

“To be clear, LastPass has NOT been hacked,” Mike Kosak, a senior principal intelligence analyst with LastPass, has confirmed, having taken the unusual step of making such an announcement in an official October 13 blog posting. The confirmation came on the same day that LastPass became aware of a new phishing campaign designed to hack LastPass user accounts, distributed in an email with the title: “We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security.”

The giveaway that these emails are not genuine, in an ideal world, would be the fact that they come from spurious addresses rather than official LastPass ones. Kosak identified these as being “hello@lastpasspulse(.)blog” and “hello@lastpassgazette(.)blog” and, in turn, directing recipients to an equally bogus site “lastpassdesktop(.)com” from where a malicious update could be downloaded. Sadly, it is not an ideal world, and many consumers will still be overwhelmed by the knee-jerk reaction to respond if they think their password manager account has been compromised.
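The sender check described above can be automated in a mail filter. The following is an added example, not code from LastPass or the original article; the `lastpass.com` allowlist entry, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains named in the LastPass warning, kept defanged and refanged at load time.
REPORTED = {d.replace("(.)", ".") for d in
            ("lastpasspulse(.)blog", "lastpassgazette(.)blog", "lastpassdesktop(.)com")}
# Assumption: allowlist of genuine domains; replace with your own verified list.
OFFICIAL = {"lastpass.com"}
BRAND = "lastpass"

def is_official(host):
    """Exact match or true subdomain only, so 'lastpass.com.evil.example' fails."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def extract(raw):
    """Return (display name, sender domain, hosts of links found in the body)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower().rstrip(".")
    body = "" if msg.is_multipart() else msg.get_payload()
    links = {h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", body)}
    return display.lower(), sender, links

def classify(raw):
    display, sender, links = extract(raw)
    if ({sender} | links) & REPORTED:
        return "known-campaign"
    # A link that borrows the brand name but is not on the allowlist.
    lookalike_link = any(BRAND in h and not is_official(h) for h in links)
    # A From header that claims the brand while the domain is not official.
    spoofed_sender = (BRAND in display or BRAND in sender) and not is_official(sender)
    if lookalike_link or spoofed_sender:
        return "brand-impersonation"
    return "official" if is_official(sender) else "unrelated"

def sample(from_header, body=""):
    """Build a constructed test message (not a captured email)."""
    return f"From: {from_header}\nSubject: constructed test message\n\n{body}\n"

SAMPLES = {  # all constructed for this example
    "campaign": sample("LastPass Support <hello@%s>" % "lastpasspulse(.)blog".replace("(.)", "."),
                       "Download: https://%s/" % "lastpassdesktop(.)com".replace("(.)", ".")),
    "lookalike": sample("LastPass <alerts@lastpass.com.evil.example>"),
    "genuine": sample("LastPass <no-reply@lastpass.com>", "https://lastpass.com/"),
    "newsletter": sample("News <newsletter@example.org>", "See https://lastpass.com/"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

The display name is checked as well as the domain because the campaign emails present themselves as LastPass support while sending from unrelated domains.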